I've been trying to get OpenVPN set up for months and finally have it working! Except I had to resort to a NAT rule on the client rather than what I consider proper routing. Can somebody who knows more about this than me assist?

So - I have on my home network (UK) an OpenVPN server running on a Raspberry Pi 3. On my client network, which will eventually be a holiday home (in Cyprus), I have an ISP-provided router (which I really can't change, and I'm not even sure we can configure it), into which I will then plug a DD-WRT router running the OpenVPN client.

To simulate this I currently have the Raspberry Pi on my home network and another network set up for me to test. This is currently simulated as a USB 4G/3G connection on a router with the Belkin DD-WRT router plugged into it. It's working through the 4G/3G to my home network, but I've had to enable NAT in the Belkin OpenVPN config (iptables).

Here's a diagram of what I'm trying to achieve:

This is so my parents (in Cyprus) can leave everything as is, but simply connect another (the new DD-WRT) router from its WAN port into the current ISP router's LAN port. Then they can simply use the VPN by connecting to a new Wi-Fi network. Everything else will be as it was. One main reason for this is they want to use an Amazon Fire Stick for TV and I really tried to get OpenVPN for Android on it but it just wasn't working - so a dual-router setup should be better and easier.

So, this is all working as I want - send everything (including DNS) down the OpenVPN tunnel. I just would like to understand exactly what routing info I'm missing. Or how do I configure the client-side network routers to overcome this NAT issue (double NAT I guess??)?

I have opened UDP port 1194 into my home network. The Pi is configured to forward IPv4. The iptables rules on the Pi are:

The home router also has a static route to the VPN network 10.8.0.0/22 via the Raspberry Pi address (192.168.16.16/22).

I have on the (simulated) holiday home main router added a static route to 192.168.20.0/24 via the static LAN address (192.168.10.50) or WAN address on the DD-WRT router. I have also added a rule on the DD-WRT 2nd router to allow it to forward requests to 192.168.10.0/24.

So, here's the IPTABLES on the Belkin DD-WRT, which I don't feel is what I really want!

If I comment this last line out the VPN connects but I have no route from behind the other router - nothing works. If I add the last line in (as shown) everything works. So when connected to the VPN, browsing shows my home IP and no DNS leak. Traceroutes all look good as I'd expect. I can connect to the first router as everything is as it should be (no VPN).

Can someone explain it to me and help me understand why I need the MASQUERADE? Is there any way around it with dual router client setup?

I started again with a similar configuration but better hardware. I have replaced the Raspberry Pi (in the UK) and the Belkin OpenVPN client router with Asus RT-AC68U devices running the Kong build of DD-WRT.

The OpenVPN server is now on 10.11.12.1 and the 1st client (Cyprus) ends up being 10.11.12.2, so the OVPN subnet is now 10.11.12.0/24.

I have updated the diagram with IP/subnet changes in RED.

I still have to enable NAT though (and tick to disable firewall) on the OpenVPN client config page in the DD-WRT firmware on the Cyprus side. The actual SPI firewalls are still running on both routers; I'm just talking about the NAT and firewall options on the OpenVPN client page under DD-WRT.

I can get to and administer ALL routers (even the Cyprus one, surprisingly), so I'd love to get this working without NAT.
I must be missing a 10.11.12.0/24 static route entry on one of the routers but I'm confused about which one. Without the NAT option on the client, any Windows clients my Mum connects to the Asus in Cyprus can see the VPN tunnel but not get anywhere (all tracerts just time out from her end). Or maybe I'm missing an IPTABLES rule somewhere, but I see no dropped packets in either Asus firewall log (I set syslogd to medium and log drops). I see lots of telnet drops her end!

I can see, from the UK network, her Asus on the VPN address 10.11.12.2 and of course the Asus here (OVPN server) on 10.11.12.1.

So, without the NAT option on her end, if I SSH into her Asus (on 10.11.12.2) from here and issue a tracert to any address it seems fine. nslookups also seem fine, but clients connected to it (which I cannot administer from here) do not work. I enable NAT, as I say, and it works.

slime-uk wrote: without the NAT option on her end, if I SSH into her Asus (on 10.11.12.2) from here, and issue a tracert to any address it seems fine. nslookups also seem fine, but clients connected to it (which I can not administer from here) do not work. I enable NAT as I say and it works

My guess was that the ISP provided router would need to know where to send packets destined for 192.168.50.x/24 and the VPN subnet of 10.11.12.x/24 and so I set both to the ISP provided LAN address of the Asus (192.168.10.250).

I'm pretty sure I did similar on the Asus - well, I certainly told it to accept traffic from 192.168.10.x/24 in IPTABLES:

I guessed from what I've read that the DD-WRT OpenVPN client router would be aware of the 10.11.12.x/24 subnet. I guess it is, but clients connected to it are not? Is that the issue here? It certainly feels that way typing this in!

Ah. Ok. So in Windows it seems you can do a route -p -add. I'll look at this but will need my Mum online to do this later.

What do I use as the gateway?

10.11.12.0 is the subnet to add with a 255.255.255.0 mask, but what is the gateway? Do I use 10.11.12.1 or .2, or the true Asus address 192.168.50.1, or the true ADSL router address of 192.168.10.254? Too many routers and networks - I'm confused! Or 192.168.10.250?